[FrontDoor] Fix managed-rule add issue for Microsoft_DefaultRuleSet with version 2.0 and greater (#5458)

Co-authored-by: Bo Zhang <[email protected]>

Author: t-bzhan

src/front-door/HISTORY.rst

@@ -2,6 +2,10 @@
 
 Release History
 ===============
+1.0.17
+++++++
+* az network front-door waf-policy managed-rules add: Fix managed-rule add issue for Microsoft_DefaultRuleSet with version 2.0 or higher.
+
 1.0.16
 ++++++
 * az network front-door routing-rule update: Fix unexpected configuration override when updating routing rule.

src/front-door/azext_front_door/_params.py

@@ -31,7 +31,7 @@ def load_arguments(self, _):
     from azext_front_door.vendored_sdks.models import (
         PolicyMode, FrontDoorProtocol, FrontDoorHealthProbeMethod, FrontDoorCertificateSource, FrontDoorQuery, ActionType, RuleType, TransformType,
         FrontDoorRedirectType, FrontDoorRedirectProtocol, MinimumTLSVersion, Transform, HeaderActionType, RulesEngineOperator, RulesEngineMatchVariable,
-        FrontDoorForwardingProtocol, MatchProcessingBehavior, PolicyRequestBodyCheck, SkuName, ResourceType
+        FrontDoorForwardingProtocol, MatchProcessingBehavior, PolicyRequestBodyCheck, SkuName, ResourceType, ManagedRuleSetActionType
     )
 
     frontdoor_name_type = CLIArgumentType(options_list=['--front-door-name', '-f'], help='Name of the Front Door.', completer=get_resource_name_completion_list('Microsoft.Network/frontdoors'), id_part='name')
@@ -175,9 +175,10 @@ def load_arguments(self, _):
 
     with self.argument_context('network front-door waf-policy managed-rules add') as c:
         c.argument('policy_name', waf_policy_name_type)
-        c.argument('action', arg_type=get_enum_type(ActionType), help='Action for applied rulesets.')
-        c.argument('rule_set_type', options_list=['--type'], help='ID of the ruleset to apply.')
+        c.argument('rule_set_type', options_list=['--type'], help='Ruleset type to use.')
         c.argument('version', help='Rule set version.')
+        c.argument('rule_set_action', options_list=['--action'], arg_type=get_enum_type(ManagedRuleSetActionType),
+                   help='Action for applied rulesets, only required for Microsoft_DefaultRuleSet with version 2.0 or higher.')
 
     with self.argument_context('network front-door waf-policy managed-rules list') as c:
         c.argument('policy_name', waf_policy_name_type, id_part=None)

src/front-door/azext_front_door/custom.py

@@ -792,13 +792,14 @@ def update_waf_policy(instance, tags=None, mode=None, redirect_url=None,
     return instance
 
 
-def add_azure_managed_rule_set(cmd, resource_group_name, policy_name, rule_set_type, version):
+def add_azure_managed_rule_set(cmd, resource_group_name, policy_name, rule_set_type, version, rule_set_action=None):
     from azext_front_door.vendored_sdks.models import ManagedRuleSet
     client = cf_waf_policies(cmd.cli_ctx, None)
     policy = client.get(resource_group_name, policy_name)
     rule_set = ManagedRuleSet(
         rule_set_type=rule_set_type,
-        rule_set_version=version
+        rule_set_version=version,
+        rule_set_action=rule_set_action,
     )
 
     policy_rule_sets = policy.managed_rules.managed_rule_sets

src/front-door/azext_front_door/tests/latest/recordings/test_waf_exclusions.yaml

@@ -313,6 +313,17 @@ def test_waf_policy_managed_rules(self, resource_group):
         self.assertIn('managedRules', result)
         self.assertEqual(len(result['managedRules']['managedRuleSets']), 0)
 
+        type = "Microsoft_DefaultRuleSet"
+        version = "2.0"
+        action = "Block"
+        cmd = 'az network front-door waf-policy managed-rules add -g {resource_group} --policy-name {policyName} --type {type} --version {version} --action {action}'.format(**locals())
+        result = self.cmd(cmd).get_output_in_json()
+
+        self.assertIn('managedRules', result)
+        self.assertEqual(result['managedRules']['managedRuleSets'][0]['ruleSetType'], type)
+        self.assertEqual(result['managedRules']['managedRuleSets'][0]['ruleSetVersion'], version)
+        self.assertEqual(result['managedRules']['managedRuleSets'][0]['ruleSetAction'], action)
+
         cmd = 'az network front-door waf-policy managed-rule-definition list'
         result = self.cmd(cmd).get_output_in_json()
         defaultRuleSet = [ruleSet for ruleSet in result if ruleSet['ruleSetType'] == type][0]

src/front-door/azext_front_door/tests/latest/recordings/test_waf_policy_basic.yaml

@@ -8,7 +8,7 @@
 from codecs import open
 from setuptools import setup, find_packages
 
-VERSION = "1.0.16"
+VERSION = "1.0.17"
 
 CLASSIFIERS = [
     'Development Status :: 4 - Beta',